If you want to use persistence.xml instead of storing the Oracle Adaptive Access Manager database credentials in CSF, follow the steps below. This approach is neither recommended nor supported: the connection details, including the database password, then live in a plain configuration file instead of the credential store.

Go to the work folder to which you copied the cli folder. Open the file conf/bharosa_properties/oaam_cli.properties in a text editor and set the property oaam.db.toplink.useCredentialsFromCSF to false.

Update the Oracle Adaptive Access Manager database connection details in the META-INF/persistence.xml file by editing the relevant eclipselink.jdbc properties, as in the following examples:

29.3.2.2 CLI Parameters

Indicates whether the entities of the module being exported are added to or deleted from the database when the exported file is imported. Default is add.

exportmode

Indicates whether the result of export will be a ZIP file or XML file. Default is ZIP.

includeelements

Indicates whether group elements are included in the export. Default is true. Applicable only to the export of groups.

listelemcmd

Indicates whether the group elements are added, deleted or replaced in the database when this file is imported. Default is add. Applicable only to the export of groups.

outdir

The output folder where the resulting files from export will be saved. Default value is current folder.

batchmode

Controls the database commits when list items are imported in a batch. When the batch reaches its limit, the objects are inserted into the database. If batchmode is equal to true, the database update is also committed. By default, batchmode is set to false.

submodule

Used to specify the type of groups that should be included in export. Default value is all. This is applicable for groups export.

loadType

Used to specify the type of properties to be exported. If not specified, all types of properties are included. Applicable only to the export of properties.

29.3.2.3 Supported Modules for Import and Export

The list of supported modules for Oracle Adaptive Access Manager 11g is shown in Table 29-2.

Table 29-2 Supported Modules

Module                      Entity Name
--------------------------  --------------------------
groups                      groups
policies                    models
questions                   questions
validations                 validations
answer hint                 answerHint
properties                  properties
conditions                  conditions
questions for translation   questionsForTranslation
patterns                    patterns
entities                    entities
transactions                transactions
configurable actions        dynamicActions
scheduler task groups       taskGroups

The 10g policy set and policy modules are no longer valid in 11g.

One difference between CLI import/export in 10g and 11g is that in 11g the module names models and policies mean the same thing: -module policy is the same as -module models.

Note that inapplicable options are silently ignored (for example, outdir on an import) and that lower-precedence options are overridden (for example, listelemcmd is irrelevant when includeelements is false).

29.3.2.5 Export of Files

Here are examples of export options:

Export Properties

To export all the properties irrespective of loadtype, issue the following command:

$ sh runImportExport.sh -action export -module properties

To export all the properties of any particular loadtype, issue the following command:

The group elements of groups G1 and G2 are replaced by the elements in the ZIP file when the file produced by this export command is imported. For example, if group G1 has elements e1 and e2 in the database and the ZIP file contains e2 and e3, then after the import G1 has elements e2 and e3. If listelemcmd had been "add", G1 would have e1, e2 and e3 after the import. If it had been "delete", G1 would have only e1, because e2 would have been deleted.

Export Policies to DESTDIR, But Do Not Create a ZIP File

To export policies to DESTDIR, but not create a ZIP file, issue the following command:

If exportmode is "file," then the data is exported as one or more XML files.

Note:

The command does not work for modules such as policies and questions, which have dependent data; it fails with an error stating that a ZIP stream is expected.

29.3.2.6 Import Options

The batchmode option controls the database commits when list items are imported in a batch. When the batch reaches its limit, the objects are inserted into the database. If batchmode is equal to true, the database update is also committed. By default, batchmode is set to false.

batchmode {true | false}

Note:

batchmode is not to be used in conjunction with importing other modules. It should be used with Lists only.

Here is an example of batchmode usage:

Import Groups in Batch Mode

To import groups in batch mode, issue the following command:

$ sh runImportExport.sh -action import -module groups -batchmode true

29.3.2.7 Importing Multiple Types of Entities in One Transaction

The preceding examples cover only scenarios in which all entities to be processed are of the same type. To process different types of modules together, the command line accepts multiple -module parameters. All entities specified in one command are processed in a single transaction, so a related set of entities can be imported together with "all or nothing" semantics.

Here are examples of importing modules together:

Import Various Modules Together

To import various modules together, issue the following command:

$ sh runImportExport.sh -action import

-module groups 5grps.zip

-module models model1.zip

Note:

The -action parameter is given only once; only the -module parameter, with its files and options, is repeated for each item to be imported. The order given on the command line is preserved, both for the entity types and for the files of each entity type.

29.3.2.8 Multiple Modules and Extra Options (Common vs. Specific)

Support for multiple modules raises many questions:

What about the extra options?

How to specify options common to all modules?

How to specify options specific to a certain module, even though it has been defined as a common option?

The following things can be kept in mind:

When writing an import or export command, keep in mind that -module marks the beginning of a new set of options: everything that follows a -module, up to the next -module, forms one set.

Everything specified before the first -module is a set of common options, which is applied to every -module.

If an option is given both as a common option and as a module-specific option, the module-specific value takes precedence.

Examples are:

Export Everything to "all" Directory, but Policies to "policies" directory

To export everything to "all" directory, but policies to "policies" directory, issue the following command:

$ sh runImportExport.sh -action export -outdir all

-module models -outdir models

-module groups

Export Groups G1 and G2 for Delete Items, and G3 and G4 for Replace Items

To export groups G1 and G2 for delete items and G3 and G4 for replace items, issue the following command:

$ sh runImportExport.sh -action export

-module groups -listelemcmd delete G1 G2

-module groups -listelemcmd replace G3 G4
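The option-grouping rules above (common options before the first -module, one option set per -module, module-specific values winning) and the note in 29.3.2.3 that inapplicable options are ignored are easy to get wrong when assembling long commands. The following Python is an added model of those rules, not Oracle's code and not how runImportExport.sh is implemented; it assumes every option is written as -name value, that bare tokens after a -module are that module's items (files on import, group names on export), and that the option names are those listed in 29.3.2.2. The two commands it parses are the examples just above, joined onto single lines.

```python
"""Model of how runImportExport.sh groups its options (an added illustration,
not Oracle's code).  Assumptions: every option is written as -name value,
-module starts a new option set, bare tokens after a -module are that
module's items (files on import, group names on export), and the set of
option names mirrors section 29.3.2.2."""
import shlex

KNOWN_OPTIONS = {"action", "exportmode", "includeelements", "listelemcmd",
                 "outdir", "batchmode", "submodule", "loadType"}

# The two example commands from the text, joined into single lines.
EXPORT_OUTDIR_CMD = ("sh runImportExport.sh -action export -outdir all "
                     "-module models -outdir models -module groups")
EXPORT_GROUPS_CMD = ("sh runImportExport.sh -action export "
                     "-module groups -listelemcmd delete G1 G2 "
                     "-module groups -listelemcmd replace G3 G4")


def parse_command(cmdline):
    """Return (common_options, module_sets).

    Each module set is a dict with "module", "items" (in command-line order)
    and "options": the common options with this module's own values
    overriding them."""
    tokens = shlex.split(cmdline)
    if tokens[:2] == ["sh", "runImportExport.sh"]:
        tokens = tokens[2:]
    common, modules, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-module":
            if i + 1 >= len(tokens):
                raise ValueError("-module needs a module name")
            current = {"module": tokens[i + 1], "items": [], "specific": {}}
            modules.append(current)
            i += 2
        elif tok.startswith("-"):
            name = tok[1:]
            if name not in KNOWN_OPTIONS:
                # Fail loudly rather than silently eating a mistyped option.
                raise ValueError("unknown option " + tok)
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                raise ValueError("option %s needs a value" % tok)
            target = common if current is None else current["specific"]
            target[name] = tokens[i + 1]
            i += 2
        else:
            if current is None:
                raise ValueError("item %r appears before any -module" % tok)
            current["items"].append(tok)
            i += 1
    if "action" not in common:
        raise ValueError("-action must be given once, before the first -module")
    for m in modules:
        merged = dict(common)
        merged.update(m.pop("specific"))   # module-specific value takes precedence
        m["options"] = merged
    return common, modules


def effective_options(module_set):
    """Drop the options the CLI would ignore for this module set and say why,
    instead of letting them disappear silently (see the note in 29.3.2.3)."""
    opts = dict(module_set["options"])
    dropped = []
    if opts["action"] == "import" and "outdir" in opts:
        dropped.append("outdir is ignored on import")
        del opts["outdir"]
    if module_set["module"] != "groups":
        for name in ("includeelements", "listelemcmd", "submodule"):
            if name in opts:
                dropped.append(name + " applies only to groups")
                del opts[name]
    if opts.get("includeelements", "true").lower() == "false" and "listelemcmd" in opts:
        dropped.append("listelemcmd is irrelevant when includeelements is false")
        del opts["listelemcmd"]
    return opts, dropped


if __name__ == "__main__":
    for cmd in (EXPORT_OUTDIR_CMD, EXPORT_GROUPS_CMD):
        common, sets = parse_command(cmd)
        for s in sets:
            print(s["module"], s["items"], *effective_options(s))
```

Running the script prints, for each -module set, the items it carries and the resolved options; for the first command the models set ends up with outdir models and the groups set inherits outdir all. Unknown options raise instead of being ignored, which is the behaviour you want in a deployment script so that a typo in -listelemcmd does not silently turn a replace into the default add.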

29.3.2.9 Transaction Handling

Transaction handling differs between import and export.

Import operates strictly in one transaction, except when batch mode is used to import lists. If importing any entity of any module fails, the entire process is rolled back and no database updates are committed. Note, however, that although import runs as one transaction, it does not abort when it encounters invalid items in a list (for example, a city with an incorrect state or country). A warning is logged and the import continues, ignoring such items.

Export operates on a "best effort" basis: if the export of any entity fails, it continues with the next entity. Export performs no database updates; it only selects information from the database and writes it to files.
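The three import behaviours described here and in 29.3.2.5 (add/delete/replace of group elements, invalid list items skipped with a warning, and an entity error rolling back the whole command unless batch mode has already committed earlier batches) are worth seeing side by side before relying on them in a change window. The following Python is an added model of those rules using sqlite3; it is not the CLI's code. It assumes a constructed schema in which group elements are cities validated against a states table, a payload shaped like the contents of an export ZIP, and, as a simplification, that batch mode commits after every batch_size groups rather than after a number of list items.

```python
"""Model of the import transaction rules in 29.3.2.9 (an added illustration
using sqlite3, not Oracle Adaptive Access Manager's code).  Assumptions: a
constructed schema of groups whose elements are cities, a states table used
to validate them, and a payload shaped like the contents of an export ZIP.
Group names, elements and states below are constructed sample data."""
import logging
import sqlite3

log = logging.getLogger("oaam_import_demo")


class ImportFailure(Exception):
    """An entity-level error: the whole command is rolled back."""


SCHEMA = """
CREATE TABLE groups (name TEXT PRIMARY KEY);
CREATE TABLE group_elements (group_name TEXT NOT NULL, element TEXT NOT NULL,
                             PRIMARY KEY (group_name, element));
CREATE TABLE states (country TEXT NOT NULL, state TEXT NOT NULL,
                     PRIMARY KEY (country, state));
"""


def new_db():
    """In-memory database seeded with constructed data.  Autocommit mode, so
    the BEGIN / COMMIT / ROLLBACK below are explicit."""
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO groups VALUES (?)", [("G1",), ("G2",)])
    db.executemany("INSERT INTO group_elements VALUES (?, ?)",
                   [("G1", "e1"), ("G1", "e2"), ("G2", "e1")])
    db.executemany("INSERT INTO states VALUES (?, ?)", [("US", "CA"), ("US", "NY")])
    return db


def city(name, country="US", state="CA"):
    """One list element as it would come out of the export file."""
    return {"name": name, "country": country, "state": state}


def group_elements(db, group):
    rows = db.execute("SELECT element FROM group_elements WHERE group_name = ? "
                      "ORDER BY element", (group,))
    return [r[0] for r in rows]


def apply_group(db, group, elements, listelemcmd):
    """Apply one group's elements with the add / delete / replace semantics."""
    if db.execute("SELECT 1 FROM groups WHERE name = ?", (group,)).fetchone() is None:
        raise ImportFailure("group %s does not exist" % group)
    if listelemcmd not in ("add", "delete", "replace"):
        raise ImportFailure("bad listelemcmd %r" % listelemcmd)
    if listelemcmd == "replace":
        db.execute("DELETE FROM group_elements WHERE group_name = ?", (group,))
    for e in elements:
        known = db.execute("SELECT 1 FROM states WHERE country = ? AND state = ?",
                           (e["country"], e["state"])).fetchone()
        if known is None:
            # Invalid list item: warn and carry on, the import does not fail.
            log.warning("skipping %s: unknown state %s/%s",
                        e["name"], e["country"], e["state"])
            continue
        if listelemcmd == "delete":
            db.execute("DELETE FROM group_elements WHERE group_name = ? AND element = ?",
                       (group, e["name"]))
        else:
            db.execute("INSERT OR IGNORE INTO group_elements VALUES (?, ?)",
                       (group, e["name"]))


def run_import(db, module_sets, batchmode=False, batch_size=2):
    """Import every module set in one transaction; returns True on commit.

    batchmode=True models the lists-only batch option: the transaction is
    committed after every batch_size groups (a simplification of batching by
    list items), so an error later in the command leaves earlier batches
    committed instead of rolling everything back."""
    applied = 0
    db.execute("BEGIN")
    try:
        for m in module_sets:
            if m["module"] != "groups":
                raise ImportFailure("module %s not handled in this model" % m["module"])
            for group, elements in m["payload"].items():
                apply_group(db, group, elements, m["options"].get("listelemcmd", "add"))
                applied += 1
                if batchmode and applied % batch_size == 0:
                    db.execute("COMMIT")
                    db.execute("BEGIN")
        db.execute("COMMIT")
        return True
    except ImportFailure as exc:
        db.execute("ROLLBACK")
        log.error("import rolled back: %s", exc)
        return False
```

The practical point the model makes is the last one: with batchmode true, a failure in the third group of a command leaves the first two already committed, so a rerun after fixing the input is not a clean retry of an all-or-nothing operation. Use batch mode only for large list imports, as the note in 29.3.2.6 says, and check the database state before rerunning.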

29.3.2.10 Upload Location Database

29.3.3 Globalization

For this release, CLI is not globalized.

29.4 Importing IP Location Data

This section describes how to import IP location data into the Oracle Adaptive Access Manager database. This data is used by the risk policies framework to determine the risk of fraud associated with a given IP address.

29.4.1.1 Setting Up for SQL Server Database

To load data into a Microsoft SQL Server database, sqljdbc.jar must be copied to the third-party directory. The file can be downloaded free of charge from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID=6d483869-816a-44cb-9787-a866235efc7c&DisplayLang=en

29.4.1.2 Setting Up IP Location Loader Properties

Change to the <ORACLE_MW_HOME>/<IAM_HOME>/oaam/cli directory and make a copy of the sample bharosa_location.properties file.

cp sample.bharosa_location.properties bharosa_location.properties

Update bharosa_location.properties with the location data details, as in the following example. Obtain the location data from one of the supported vendors (ip2location, MaxMind, Quova/Neustar).

Note that the properties marked as "Advanced" are not to be changed in general.

Table 29-3 IP Loader Properties

Property                                     Description
-------------------------------------------  --------------------------------------------------------------------------
location.data.provider                       quova, ip2location or maxmind
location.data.file                           Main data file, for example /tmp/quova/EDITION_Gold_2008-07-22_v374.dat.gz
location.data.ref.file                       Reference file, for example /tmp/quova/EDITION_Gold_2008-07-22_v374.ref.gz
location.data.anonymizer.file                Anonymizer file, for example /tmp/quova/anonymizers_2008-07-09.dat.gz
location.data.location.file                  Only if MaxMind location data is to be loaded; otherwise leave unset/blank
location.data.blocks.file                    Only if MaxMind location data is to be loaded; otherwise leave unset/blank
location.data.country.code.file              Only if MaxMind location data is to be loaded; otherwise leave unset/blank
location.data.sub.country.code.file          Only if MaxMind location data is to be loaded; otherwise leave unset/blank
location.loader.database.pool.size           Number of threads used to update the database
location.loader.dbqueue.maxsize              Advanced: maximum number of location records kept in the queue for the database threads
location.loader.cache.location.maxcount      Advanced: maximum number of location records kept in cache while updating existing location data
location.loader.cache.split.maxcount         Advanced: maximum number of location split records kept in cache while updating existing location data
location.loader.cache.anonymizer.maxcount    Advanced: maximum number of anonymizer records kept in cache while updating existing location data
location.loader.database.commit.batch.size   Maximum number of location records to batch before issuing a database commit
location.loader.database.commit.batch.seconds  Maximum time to hold an uncommitted batch
location.loader.cache.isp.maxcount           Maximum number of ISP records kept in cache

29.4.1.3 Setting Up for Loading MaxMind IP data

Before running the IP location loader, the Blocks.csv file from MaxMind must be preprocessed with the following commands:

29.4.1.4 Setting Up Encryption

29.4.1.5 Loading Location Data

After completing the setup described above, do the following to load the location data into the Oracle Adaptive Access Manager database.

Set the JAVA_HOME environment variable to the location of the JDK. Make sure it points to the JDK certified for the Identity Management Suite 11g.

Run the loadIPLocationData script.

From bash shell, execute loadIPLocationData.sh

From Windows command prompt, execute loadIPLocationData.cmd

The command returns 0 when the data load is successful; on failure it returns 1.

29.4.2 System Behavior

The IP location loader utility reads the IP location data files (from Quova/Neustar, ip2location or MaxMind) and populates the IP location tables in the Oracle Adaptive Access Manager system. The first time the utility is run against a new database, it inserts one or more rows into vcrypt_ip_location_map for each record in the data file. It also creates a record in vcrypt_country for each unique country name in the data file, a record in vcrypt_state for each unique combination of country name and state name, and a record in vcrypt_city for each unique combination of country name, state name and city name.

When the IP location loader is run with a new data file against an already populated database, it skips records in the data file that have an identical matching row in vcrypt_ip_location_map. It inserts a new row into vcrypt_ip_location_map for each record whose FROM_IP_ADDR does not already appear in the database, and updates the rows whose FROM_IP_ADDR matches a record in the data file but whose other columns differ. The loader also creates any countries, states and cities that do not already exist in the database.
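The merge rules above determine what a quarterly refresh of the location data actually changes, which matters because risk policies key off this table. The following Python is an added model of those rules using sqlite3, not the loadIPLocationData utility; it keeps only the columns needed to show the rules (the real vcrypt_* tables have more), and the two "vendor files" of IP ranges and place names are constructed sample data.

```python
"""Model of the IP location loader's merge rules in 29.4.2 (an added
illustration using sqlite3, not the loadIPLocationData utility).  Only the
columns needed to show the rules are modelled; the real vcrypt_* tables have
more.  All IP ranges and place names below are constructed."""
import ipaddress
import sqlite3

SCHEMA = """
CREATE TABLE vcrypt_country (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE vcrypt_state (id INTEGER PRIMARY KEY, country_id INTEGER NOT NULL,
                           name TEXT NOT NULL, UNIQUE (country_id, name));
CREATE TABLE vcrypt_city (id INTEGER PRIMARY KEY, state_id INTEGER NOT NULL,
                          name TEXT NOT NULL, UNIQUE (state_id, name));
CREATE TABLE vcrypt_ip_location_map (from_ip_addr INTEGER PRIMARY KEY,
                                     to_ip_addr INTEGER NOT NULL,
                                     city_id INTEGER NOT NULL);
"""

# Two constructed "vendor files": (start IP, end IP, country, state, city).
FIRST_FILE = [
    ("10.0.0.0", "10.0.0.255", "United States", "California", "San Jose"),
    ("10.0.1.0", "10.0.1.255", "United States", "California", "Los Angeles"),
    ("192.0.2.0", "192.0.2.255", "Germany", "Bavaria", "Munich"),
]
SECOND_FILE = [
    ("10.0.0.0", "10.0.0.255", "United States", "California", "San Jose"),   # identical: skipped
    ("10.0.1.0", "10.0.1.255", "United States", "Nevada", "Las Vegas"),      # same start, new data: updated
    ("198.51.100.0", "198.51.100.255", "Germany", "Bavaria", "Munich"),      # new start: inserted
]


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_or_insert(db, table, cols, values):
    """Return the id of the matching row, creating the row if it does not exist."""
    where = " AND ".join(c + " = ?" for c in cols)
    row = db.execute("SELECT id FROM %s WHERE %s" % (table, where), values).fetchone()
    if row is not None:
        return row[0]
    cur = db.execute("INSERT INTO %s (%s) VALUES (%s)"
                     % (table, ", ".join(cols), ", ".join("?" * len(cols))), values)
    return cur.lastrowid


def load(db, records):
    """Merge one data file; returns (inserted, updated, skipped) row counts."""
    inserted = updated = skipped = 0
    with db:   # one transaction for the whole file
        for start, end, country, state, city in records:
            from_ip = int(ipaddress.ip_address(start))
            to_ip = int(ipaddress.ip_address(end))
            if to_ip < from_ip:
                raise ValueError("range end %s precedes start %s" % (end, start))
            country_id = lookup_or_insert(db, "vcrypt_country", ["name"], [country])
            state_id = lookup_or_insert(db, "vcrypt_state", ["country_id", "name"],
                                        [country_id, state])
            city_id = lookup_or_insert(db, "vcrypt_city", ["state_id", "name"],
                                       [state_id, city])
            row = db.execute("SELECT to_ip_addr, city_id FROM vcrypt_ip_location_map "
                             "WHERE from_ip_addr = ?", (from_ip,)).fetchone()
            if row is None:
                db.execute("INSERT INTO vcrypt_ip_location_map VALUES (?, ?, ?)",
                           (from_ip, to_ip, city_id))
                inserted += 1
            elif row == (to_ip, city_id):
                skipped += 1            # identical record already present
            else:
                db.execute("UPDATE vcrypt_ip_location_map SET to_ip_addr = ?, city_id = ? "
                           "WHERE from_ip_addr = ?", (to_ip, city_id, from_ip))
                updated += 1
    return inserted, updated, skipped


def locate(db, ip):
    """(country, state, city) for an address, or None if no range covers it."""
    n = int(ipaddress.ip_address(ip))
    return db.execute(
        "SELECT co.name, s.name, c.name FROM vcrypt_ip_location_map m "
        "JOIN vcrypt_city c ON c.id = m.city_id "
        "JOIN vcrypt_state s ON s.id = c.state_id "
        "JOIN vcrypt_country co ON co.id = s.country_id "
        "WHERE m.from_ip_addr <= ? AND m.to_ip_addr >= ? "
        "ORDER BY m.from_ip_addr DESC LIMIT 1", (n, n)).fetchone()


def counts(db):
    """Row counts of (country, state, city, map), handy for checking a refresh."""
    return tuple(db.execute("SELECT COUNT(*) FROM " + t).fetchone()[0] for t in
                 ("vcrypt_country", "vcrypt_state", "vcrypt_city", "vcrypt_ip_location_map"))
```

Loading FIRST_FILE into an empty database inserts three ranges, two countries, two states and three cities; loading SECOND_FILE afterwards skips one record, updates one and inserts one, and adds only the state and city that did not exist yet. Note what the model also shows: because matching is on FROM_IP_ADDR alone, a vendor range whose start address is unchanged but whose end address moved is an update, not a new row, and a range whose start address moved leaves the old row in place.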

29.4.3 Quova/Neustar File Layout

The Quova/Neustar data file is a pipe-delimited ('|') file with 29 fields per line and one record per line. The information in these tables comes from Quova/Neustar's GeoPoint Data Glossary. In the following table, IP represents the vcrypt_ip_location_map table, CO the vcrypt_country table, ST the vcrypt_state table and CI the vcrypt_city table.

The file layout is as follows:

Table 29-4 Quova/Neustar File Layout

Quova/Neustar Field

Oracle Adaptive Access Manager Field

Description

Start IP

IP.from_ip_addr

The beginning of the IP range, also used as an alternate primary key on the vcrypt_ip_location_map table.

User IP is located within a network block that has tested positive for anonymizer activity.

Routing Type         Code  Description
-------------------  ----  ------------------------------------------------------------------------------
aol                  3     User is a member of the AOL service; the user country can be identified in most cases; any regional information more granular than country is not possible.
aol pop              4     User is a member of the AOL service; the user country can be identified in most cases; any regional information more granular than country is not possible.
aol dialup           5     User is a member of the AOL service; the user country can be identified in most cases; any regional information more granular than country is not possible.
aol proxy            6     User is a member of the AOL service; the user country can be identified in most cases; any regional information more granular than country is not possible.
pop                  7     User is dialing into a regional ISP and is likely to be near the IP location; the user could be dialing across geographical boundaries.
superpop             8     User is dialing into a multistate or multinational ISP and is not likely to be near the IP location; the user could be dialing across geographical boundaries.
satellite            9     A user connecting to the Internet through a consumer satellite, or through a backbone satellite provider where no information about the terrestrial connection is available.
cache proxy          10    User is proxied through either an Internet accelerator or a content distribution service.
international proxy  11    A proxy that carries traffic from multiple countries.
regional proxy       12    A proxy (not an anonymizer) that carries traffic from multiple states within a single country.
mobile gateway       13    A gateway that connects mobile devices to the public Internet. For example, WAP is a gateway used by mobile phone providers.
none                 14    Routing method is not known or is not identifiable from the preceding descriptions.
unknown              99    Routing method is not known or is not identifiable from the preceding descriptions.

29.4.3.2 Connection Types Mapping

This represents OC-3 circuits, OC-48 circuits, and so on, which are used primarily by large backbone carriers.

Connection Type     Code  Description
------------------  ----  ------------------------------------------------------------------------------
tx                  2     This includes T-3 circuits and T-1 circuits, still used by many small and medium companies.
satellite           3     High-speed or broadband links between a consumer and a geosynchronous or low-earth-orbiting satellite.
framerelay          4     Frame relay circuits may range from low to high speed and are used as a backup or alternative to T-1. Most often they are high-speed links, so GeoPoint classifies them as such.
dsl                 5     Digital Subscriber Line broadband circuits, which include aDSL, iDSL, sDSL, and so on. Speeds generally range from 256K to 20MB per second.
cable               6     Cable modem broadband circuits, offered by cable TV companies. Speeds range from 128K to 36MB per second and vary with the load on a given cable modem switch.
isdn                7     Integrated Services Digital Network high-speed copper-wire technology, supporting 128K per second, with ISDN modems and switches offering 1MB per second and greater. Offered by some major telcos.
dialup              8     The consumer dialup modem space, which operates at 56K per second. Providers include Earthlink, AOL and Netzero.
fixed wireless      9     Fixed wireless connections where the location of the receiver is fixed. Includes WDSL providers such as Sprint Broadband Direct as well as emerging WiMax providers.
mobile wireless     10    Cellular network providers such as Cingular, Sprint and Verizon Wireless, which employ CDMA, EDGE and EV-DO technologies. Speeds vary from 19.2K per second to 3MB per second.
consumer satellite  11
unknown high        12    GeoPoint was unable to obtain a connection type, or the connection type is not identifiable from the preceding descriptions.
unknown medium      13    GeoPoint was unable to obtain a connection type, or the connection type is not identifiable from the preceding descriptions.
unknown low         14    GeoPoint was unable to obtain a connection type, or the connection type is not identifiable from the preceding descriptions.
unknown             99    GeoPoint was unable to obtain a connection type, or the connection type is not identifiable from the preceding descriptions.